Jackass of the Week: Larry Seltzer

Sunday, 19 November 2006

The verdict is in: OS X is as insecure as anything out there,
but somehow nobody — including attackers — cares.

That’s quite a verdict.

When it first came out in July, Symantec’s report “The Mac OS
X Threat Landscape: An Overview” revealed a collection of
vulnerabilities and potential attacks that rivaled any major
operating system (at least in their shipping versions).

The updated version, released earlier this week, reinforces
these conclusions, and in fact things are getting worse.

Symantec’s report is, in fact, interesting, and for the most part fair1. It does list an assortment of known vulnerabilities and areas of potential attack against Mac OS X, but nowhere in the report does it indicate that the “collection” as a whole rivals that of any other operating system. Nor does the document indicate that much, if anything, regarding Mac OS X security has gotten worse since the initial version of the report in July 2006.

What the Symantec report proves is that Mac OS X is not somehow magically invulnerable or immune to security exploits, which is a position no one but utter fools has ever espoused. Seltzer’s logic seems to be that an operating system is either invulnerable or vulnerable, and since Mac OS X is vulnerable, that means it’s in the same position as Windows.

That leaves Seltzer with the problem of explaining why Mac OS X doesn’t suffer from a comparable number of actual attacks as does Windows or other systems.

OK! I’m sold! Mac OS X has myriad opportunity for attack. So where
are all the attacks? How come there aren’t armies of Mac botnets?
Why aren’t there scores of new malware samples for the Mac every
day?

The report focuses its attention on the obvious answer, the
standard one for this question: The Mac is less popular, so
there’s less incentive to write exploits and malware for it.
There’s as much reason to believe this as ever, since overall Mac
market share hasn’t moved much in the last few years, in spite of
stories about its tremendous growth.

First, what stories about its tremendous market share growth? Seriously — where are these stories?

Second, given that Mac OS X has about 6 percent total market share in the U.S. and something like 2 or 3 percent worldwide, how come Mac OS X’s share of actual security exploits — not just potential vulnerabilities but actual malicious spyware, viruses, worms, adware, etc. — is effectively zero percent? That’s the real question.

If your argument is that it’s not economically feasible — i.e. why would any spyware/adware author target Mac OS X instead of the monopoly-sized Windows market? — then how do you explain the non-malware Mac software market? Now maybe it’s true — I really don’t know — that Windows has 95 percent of the total OS market share but more than 95 percent of the software. Maybe a monopoly-size share of the OS market in turn generates an even more disproportionate share of the software market. But Mac OS X’s share of the malware market isn’t just disproportionately low — it’s nearly zero.

And if you’re not talking about economics, if you’re talking about malware written out of spite or maliciousness, or from socially maladjusted frigtards — then it’s even more baffling why Mac OS X’s malware market share hovers near zero (as did the classic Mac OS’s a decade ago). If there’s one firm conclusion to be drawn from the MacBook Wi-Fi hack fiasco in August, it’s that you can get a hell of a lot more attention for a Mac OS X exploit that you never even release or prove actually exists than you can get for an actual released-into-the-wild Windows exploit.

Seltzer continues:

There are even fewer Linux or Solaris systems out there, and
they get attacked all the time, both through kernel
vulnerabilities and application bugs. What explains this
difference? Perhaps those who research and write attacks are
more familiar with Linux and Solaris. Perhaps these systems are
more likely to be servers and therefore more easily targeted for
attack.

If Mac OS X is protected because it’s not primarily used as a server OS, then how do you explain Windows’s non-server security problems?

Perhaps these systems are more likely to be business systems and
are therefore a better target.

Business systems. So it’s not like millions of home PCs running Windows are infested with various sorts of malware?

I’m still stumped. All of these explanations make sense, and
somehow they’re all unsatisfying. One thing is clear: Mac users
are really lucky so far.

They’re unsatisfying because they don’t make any sense at all. Seltzer’s conclusion is that Mac users have been safe only because they’ve been lucky? The explanation that makes sense is the obvious one: that Mac OS X really is more secure and better designed. Not that it’s totally secure. Not that it’s perfectly designed. Not that it is utterly impervious to attack because it’s protected by magic leprechauns. Just that it’s better.

Previous Fireballs You Might Enjoy

For just one example of the not-so-fair-and-accurate aspects of the Symantec report, consider this passage in the section on kernel attack research:

At Blackhat [sic] 2006, David Maynor and Johnny Cache also demonstrated
the possibility of successfully exploiting remote kernel
vulnerabilities in wireless drivers to execute a supplied payload.
The demonstration was done on a Mac OS X laptop. The payload or
exploit used in the attack was never released.

Needless to say to anyone who’s a regular Daring Fireball reader, that saga is not exactly a scathing indictment of Mac OS X security. “The payload or exploit used in the attack” not only was never released, it was never demonstrated to expert observers. ↩︎

I really like my definition of a “regular” (i.e. non-computer-nerd) person in this one. ↩︎